
Issue 789407

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: ----
Type: Bug-Security




Security: In my view this is a failure of sign out security in 2 steps

Reported by mail4j...@gmail.com, Nov 29 2017

Issue description


VULNERABILITY DETAILS
This involves 2 bugs in my view:
1) When Chrome tab is closed on my mobile it will not sign me out of my google account.

2) When google account is removed from Settings of my mobile, it will not sign me out of my account.

Thus even if a user performs both the above steps (1 and 2), the user will not be signed out of his Google account on my mobile.

VERSION
62 
Details are on the screenshot attached.

REPRODUCTION CASE
Since this involves the login details of my account, I have not provided any additional html files for reproducing the bug.

 
Attachments:
Screenshot_2017-11-29-10-46-51.png (46.3 KB)
Screenshot_2017-11-29-10-53-31.png (70.4 KB)
Screenshot_2017-11-29-10-53-37.png (89.5 KB)

Comment 1 by palmer@chromium.org, Nov 29 2017

Cc: tedc...@chromium.org ew...@chromium.org
Components: Services>SignIn UI>SignIn Services>Sync
Labels: Needs-Feedback OS-Android
To make sure I understand correctly: Is it the case that you sign into your Google account in Android, and then you are automatically signed into Google services in Chrome as well? Or, do you sign into your Google account in Android and then again in Chrome?

Problem (2) suggests to me it's the latter case, but I'm not sure. If it is the latter case, you might find that Incognito mode meets your requirements in problem (1).

In any case, using the Sign Out button in a Google service in Chrome should work to log you out of your account from Chrome's perspective.

tedchoc, ewald: Who is a good authentication expert for Chrome on Android?
Owner: bsazonov@chromium.org
+bsazonov for Android sign in expertise

Comment 3 by raymes@chromium.org, Nov 29 2017

From the report it sounds to me like signing out in Android settings (Settings>Users & Accounts>Remove Account) isn't signing out of Chrome as well. But I might be misinterpreting the report.

mail4jans@ could you confirm the precise steps to reproduce the problem?
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 30 2017

Status: Assigned (was: Unconfirmed)

Comment 5 by palmer@chromium.org, Nov 30 2017

Labels: Security_Impact-Stable

Comment 6 by ew...@chromium.org, Nov 30 2017

+1 to precise repro steps. Removing your account from the OS should in fact sign you out of Chrome. At least, that was the behavior the last time I tried it out.
mail4jans: are you able to provide more details? If not we will have to close this due to a lack of information.
Status: WontFix (was: Assigned)
If more details arise, we can re-open this.
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 13 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
